Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method, comprising: receiving, at a device in a network, traffic information regarding one or more secure sessions in the network; associating, by the device, the one or more secure sessions with corresponding encrypted traffic flow indicated by the received traffic information; making, by the device, a self-signed certificate determination for an endpoint domain of a particular secure session of the one or more secure sessions based on the corresponding encrypted traffic flow for the particular secure session indicating that the endpoint domain issued a self-signed certificate; and causing, by the device, the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
2. The method as in claim 1 , wherein the malware detector causes performance of a mitigation action in the network when the malware detector detects malware.
A system and method for detecting and mitigating malware in a network involves monitoring network traffic to identify malicious activity. The system includes a malware detector that analyzes network data for patterns indicative of malware, such as unusual traffic behavior, unauthorized access attempts, or known malicious signatures. When the detector identifies malware, it triggers a mitigation action to prevent further damage. Mitigation actions may include isolating infected devices, blocking malicious traffic, or alerting network administrators. The system operates in real-time, continuously scanning network communications to detect and respond to threats promptly. This approach enhances network security by proactively identifying and neutralizing malware before it can spread or cause harm. The method ensures that detected malware does not persist in the network, reducing the risk of data breaches or system compromises. The system is designed to integrate with existing network infrastructure, providing an additional layer of security without disrupting normal operations. By automating the detection and mitigation process, the system minimizes the need for manual intervention, improving efficiency and response times. The solution is particularly useful in environments where network security is critical, such as corporate networks, financial institutions, or government systems.
3. The method as in claim 1 , wherein the malware detector is configured to treat a self-signed certificate for a domain as an indication of presence of malware in the network.
4. The method as in claim 1 , wherein the traffic information regarding the one or more secure sessions comprises Hypertext Transfer Protocol (HTTP) access logs regarding HTTP traffic associated with the one or more secure sessions.
5. The method as in claim 1 , wherein making the self-signed certificate determination for the endpoint domain of the particular secure session comprises: determining, by the device, that the endpoint domain used a self-signed certificate in the particular secure session based on the particular secure session not being associated with certificate validation check traffic in the corresponding encrypted traffic flow.
This invention relates to network security, specifically detecting the use of self-signed certificates in secure communication sessions. The problem addressed is the difficulty in identifying whether an endpoint domain in a secure session is using a self-signed certificate, which can indicate potential security risks or unauthorized access. The method involves analyzing encrypted traffic flows to determine if a secure session is associated with certificate validation check traffic. If no such validation traffic is detected, the system concludes that the endpoint domain is using a self-signed certificate. This approach leverages the absence of standard certificate validation processes, which are typically present when a trusted certificate authority (CA) is involved. By monitoring traffic patterns, the system can infer the use of self-signed certificates without decrypting the traffic, preserving privacy while enhancing security monitoring. The technique is particularly useful in environments where certificate validation is expected but may be bypassed, such as in internal networks or when testing systems. It helps security teams identify potential vulnerabilities or misconfigurations where self-signed certificates might be used inappropriately. The method does not require access to the certificate itself, relying instead on observable traffic behavior to make the determination. This makes it scalable and applicable to large-scale network monitoring systems.
6. The method as in claim 1 , wherein associating the one or more secure sessions with the corresponding encrypted traffic flow comprises: matching, by the device, client addresses of the one or more secure sessions with client addresses of certificate validation check traffic in the corresponding encrypted traffic flow.
7. The method as in claim 1 , wherein the corresponding encrypted traffic flow comprises a certificate revocation list (CRL) download or an Online Certificate Status Protocol (OCSP) check.
8. The method as in claim 1 , wherein the self-signed certificate determination for the endpoint domain is based on whether any of the one or more secure sessions involving the endpoint domain are associated with certificate validation check traffic in the corresponding encrypted traffic flow.
9. The method as in claim 1 , wherein receiving the traffic information regarding the one or more secure sessions in the network comprises: capturing, by the device, the traffic information regarding the one or more secure sessions in the network.
10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive traffic information regarding one or more secure sessions in the network; associate the one or more secure sessions with corresponding encrypted traffic flow indicated by the received traffic information; make a self-signed certificate determination for an endpoint domain of a particular secure session of the one or more secure sessions based on the corresponding encrypted traffic flow for the particular secure session indicating that the endpoint domain issued a self-signed certificate; and cause the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
11. The apparatus as in claim 10 , wherein the malware detector causes performance of a mitigation action in the network when the malware detector detects malware.
12. The apparatus as in claim 10 , wherein the malware detector is configured to treat a self-signed certificate for a domain as an indication of presence of malware in the network.
13. The apparatus as in claim 10 , wherein the traffic information regarding the one or more secure sessions comprises Hypertext Transfer Protocol (HTTP) access logs regarding HTTP traffic associated with the one or more secure sessions.
This invention relates to network security systems that monitor and analyze secure communication sessions, particularly those involving encrypted traffic. The problem addressed is the difficulty in inspecting and logging encrypted traffic while maintaining security and compliance requirements. Traditional methods often struggle to provide detailed visibility into secure sessions without compromising performance or security. The apparatus includes a network monitoring system that captures and analyzes traffic information from one or more secure sessions. The system is designed to extract and log detailed traffic data, including Hypertext Transfer Protocol (HTTP) access logs, which record HTTP traffic associated with these secure sessions. This allows for comprehensive tracking of user activities, request patterns, and potential security threats within encrypted communications. The apparatus may also include components for decrypting, inspecting, and re-encrypting traffic to ensure secure transmission while enabling monitoring. The system can be integrated into existing network infrastructure to provide real-time or historical analysis of secure session traffic, aiding in threat detection, compliance reporting, and performance optimization. The focus on HTTP access logs ensures that web-based activities within secure sessions are logged for further analysis, enhancing security monitoring capabilities.
14. The apparatus as in claim 10 , wherein the apparatus makes the self-signed certificate determination for the endpoint domain of the particular secure session by: determining that the endpoint domain used a self-signed certificate in the particular secure session based on the particular secure session not being associated with certificate validation check traffic in the corresponding encrypted traffic flow.
15. The apparatus as in claim 10 , wherein the apparatus associates the one or more secure sessions with the corresponding encrypted traffic flow by: matching client addresses of the one or more secure sessions with client addresses of certificate validation check traffic in the corresponding encrypted traffic flow.
This invention relates to network security, specifically to apparatuses that manage encrypted traffic flows and secure sessions. The problem addressed is the difficulty in associating secure sessions with their corresponding encrypted traffic flows, particularly when multiple sessions or flows exist simultaneously. The apparatus includes a processor and memory storing instructions that, when executed, perform operations to establish secure sessions and encrypted traffic flows. The apparatus associates these sessions with their corresponding encrypted traffic flows by matching client addresses of the secure sessions with client addresses of certificate validation check traffic in the encrypted traffic flow. This ensures accurate tracking and management of encrypted communications, improving security and performance in network environments. The apparatus may also validate certificates, generate session keys, and decrypt traffic flows to further enhance security. The solution is particularly useful in systems handling multiple encrypted connections, such as VPNs or secure web servers, where maintaining accurate session-to-flow associations is critical.
16. The apparatus as in claim 10 , wherein the corresponding encrypted traffic flow comprises a certificate revocation list (CRL) download or an Online Certificate Status Protocol (OCSP) check.
17. The apparatus as in claim 10 , wherein the self-signed certificate determination for the endpoint domain is based on whether any of the one or more secure sessions involving the endpoint domain are associated with certificate validation check traffic in the corresponding encrypted traffic flow.
18. The apparatus as in claim 10 , wherein the apparatus receives the traffic information regarding the one or more secure sessions in the network by: capturing the traffic information regarding the one or more secure sessions in the network.
A network monitoring apparatus captures and analyzes traffic information from secure sessions within a network. The apparatus is designed to monitor encrypted communications, such as those using secure protocols like SSL/TLS, to detect anomalies, threats, or performance issues. By capturing traffic data, the apparatus can identify patterns, track session behavior, and enforce security policies. This capability is particularly useful in environments where encrypted traffic must be inspected for compliance, threat detection, or troubleshooting without decrypting the actual payload. The apparatus may integrate with existing network infrastructure, such as firewalls or intrusion detection systems, to provide real-time insights into secure communications. The captured traffic information can be used to generate alerts, logs, or reports for network administrators, enabling proactive management of secure sessions. This solution addresses the challenge of monitoring encrypted traffic in modern networks where traditional inspection methods are ineffective due to encryption. The apparatus ensures visibility into secure communications while maintaining compliance with privacy and security regulations.
19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: receiving, at the device, traffic information regarding one or more secure sessions in the network; associating, by the device, the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information; making, by the device, a self-signed certificate determination for an endpoint domain of a particular secure session of the one or more secure sessions based on the corresponding certificate validation traffic for the particular secure session indicating that the endpoint domain issued a self-signed certificate; and causing, by the device, the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
20. The computer-readable medium as in claim 19 , wherein the device makes the self-signed certificate determination for the endpoint domain of the particular secure session by: determining, by the device, that the endpoint domain used a self-signed certificate in the particular secure session based on the particular secure session not being associated with certificate validation check traffic in the corresponding certificate validation check traffic.
Unknown
March 30, 2021
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.